Perl module installation via CPAN and signature error

To: debian-user@lists.debian.org
Subject: Perl module installation via CPAN and signature error
From: Vincent Lefevre <vincent@vinc17.net>
Date: Thu, 11 Jan 2024 23:55:39 +0100
Message-id: <[🔎] 20240111225539.GA722826@qaa.vinc17.org>
Mail-followup-to: debian-user@lists.debian.org

Hi,

I have 2 Debian/unstable machines on the same network, with the
same .cpan/CPAN/MyConfig.pm file.

On one of them, I get no errors:

qaa:~> cpan -i XML::RPC
CPAN: HTTP::Tiny loaded ok (v0.086)
CPAN: Net::SSLeay loaded ok (v1.92)
CPAN: IO::Socket::SSL loaded ok (v2.084)
Fetching with HTTP::Tiny:
https://cpan.org/authors/01mailrc.txt.gz
Reading '/home/vinc17/.cpan/sources/authors/01mailrc.txt.gz'
CPAN: Compress::Zlib loaded ok (v2.204)
............................................................................DONE
Fetching with HTTP::Tiny:
https://cpan.org/modules/02packages.details.txt.gz
Reading '/home/vinc17/.cpan/sources/modules/02packages.details.txt.gz'
  Database was generated on Thu, 11 Jan 2024 21:54:02 GMT
CPAN: HTTP::Date loaded ok (v6.06)
............................................................................DONE
Fetching with HTTP::Tiny:
https://cpan.org/modules/03modlist.data.gz
Reading '/home/vinc17/.cpan/sources/modules/03modlist.data.gz'
DONE
Writing /home/vinc17/.cpan/Metadata
Running install for module 'XML::RPC'
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/C/CA/CAVAC/XML-RPC-2.tar.gz
CPAN: Digest::SHA loaded ok (v6.04)
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/C/CA/CAVAC/CHECKSUMS
CPAN: Module::Signature loaded ok (v0.88)
WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 2E66 557A B97C 19C7 91AF  8E20 328D A867 450F 89EC
Signature for /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS ok
Checksum for /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/XML-RPC-2.tar.gz ok
Package came without SIGNATURE

CPAN: YAML loaded ok (v1.31)
[...]
  CAVAC/XML-RPC-2.tar.gz
  /bin/make install  -- OK

But on the other one (an older machine), I get an error:

zira:~> cpan -i XML::RPC
CPAN: HTTP::Tiny loaded ok (v0.086)
CPAN: Net::SSLeay loaded ok (v1.92)
CPAN: IO::Socket::SSL loaded ok (v2.084)
Fetching with HTTP::Tiny:
https://cpan.org/authors/01mailrc.txt.gz
Reading '/home/vinc17/.cpan/sources/authors/01mailrc.txt.gz'
CPAN: Compress::Zlib loaded ok (v2.206)
............................................................................DONE
Fetching with HTTP::Tiny:
https://cpan.org/modules/02packages.details.txt.gz
Reading '/home/vinc17/.cpan/sources/modules/02packages.details.txt.gz'
  Database was generated on Thu, 11 Jan 2024 21:54:02 GMT
CPAN: HTTP::Date loaded ok (v6.06)
............................................................................DONE
Fetching with HTTP::Tiny:
https://cpan.org/modules/03modlist.data.gz
Reading '/home/vinc17/.cpan/sources/modules/03modlist.data.gz'
DONE
Writing /home/vinc17/.cpan/Metadata
Running install for module 'XML::RPC'
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/C/CA/CAVAC/XML-RPC-2.tar.gz
CPAN: Digest::SHA loaded ok (v6.04)
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/C/CA/CAVAC/CHECKSUMS
CPAN: Module::Signature loaded ok (v0.88)
gpg: Signature made 2023-12-17T16:29:09 CET
gpg:                using RSA key 77576125A905F1BA
gpg: Can't check signature: No public key

Signature for file /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS could not be verified for an unknown reason. Distribution id = C/CA/CAVAC/XML-RPC-2.tar.gz
    CPAN_USERID  CAVAC (Rene Schickbauer <cavac@cpan.org>)
    CALLED_FOR   XML::RPC
    CHECKSUM_STATUS 
    CONTAINSMODS XML::RPC
    UPLOAD_DATE  2022-03-09
    incommandcolor 1
    localfile    /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/XML-RPC-2.tar.gz
    mandatory    1
    negative_prefs_cache 0
    prefs        HASH(0x55eef7851f20)
    reqtype      c

Module::Signature verification returned value 0E0

The manual says for this case: Cannot verify the
OpenPGP signature, maybe due to the lack of a network connection to
the key server, or if neither gnupg nor Crypt::OpenPGP exists on the
system. You probably want to analyse the situation and if you cannot
fix it you will have to decide whether you want to stop this session
or you want to turn off signature verification. The latter would be
done with the command 'o conf init check_sigs'

----

Note that every public key given by "gpg --list-public-keys" on qaa
are on zira too.

Where does the problem come from?

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Re: Perl module installation via CPAN and signature error
  - From: Vincent Lefevre <vincent@vinc17.net>

Prev by Date: Re: SMART Uncorrectable_Error_Cnt rising - should I be worried?
Next by Date: Re: Perl module installation via CPAN and signature error
Previous by thread: [SOLVED] Re: Libreoffice hangs at start
Next by thread: Re: Perl module installation via CPAN and signature error
Index(es):
- Date
- Thread